Sunday, November 07, 2010

If you can't prevent all breaches (and this one could have been caused by a simple typo) what can you do to mitigate the risk other than tell everyone you are sorry and offer to pay for insurance? Is there ever any effort to trace the data (here, an email) to determine who had access to it and what they did with it when they got it? Granted that most people don't even bother to turn on their logs, but in some cases it might be possible to “prove” that the breach was contained.

U.S. Workers Are on Alert After Breach of Data

November 6, 2010 by admin

Ashley Southall reports:

Federal workers at the General Services Administration are on alert against identity theft after an employee sent the names and Social Security numbers of the agency’s entire staff to a private e-mail address. The agency, which manages federal property, employs more than 12,000 people. Officials apologized to employees for the incident in a letter dated Oct. 25 — almost six weeks after the breach occurred. The agency said it had paid for employees to enroll in a one-year program to monitor their credit reports, along with up to $25,000 in identity theft insurance coverage.

Read more in the New York Times.

Interestingly, the news report provides some support for those who argue that too many notifications will lead to ignoring them:

Documents show that officials first notified employees on Sept. 28. But workers who spoke with The New York Times said they did not learn of the incident until early November, when the letters arrived in the mail. Previous notices had been sent as security alert e-mails, which employees said they received frequently and often ignored.

I’d be curious to know what those other security e-alerts were about. I do not see any notice prominently linked from GSA’s home page.

Interesting concept. As we are increasingly monitored and “classified” by our web activities, we “must” be placed in “appropriate” categories.

Article: Unraveling Privacy: The Personal Prospectus & the Threat of a Full Disclosure Future

November 7, 2010 by Dissent

Yesterday I posted a link to a thought-provoking post by Scott Peppet on Concurring Opinions. Here is the abstract of his forthcoming article in Northwestern University Law Review on the topic:

Information technologies are reducing the costs of credible signaling, just as they have reduced the costs of data mining and economic sorting. The burgeoning informational privacy field has ignored this evolution, leaving it unprepared to deal with the consequences of these new signaling mechanisms. In an economy with robust signaling, those with valuable credentials, clean medical records, and impressive credit scores will want to disclose those traits to receive preferential economic treatment. Others may then find that they must also disclose private information to avoid the negative inferences attached to staying silent. This unraveling effect creates new types of privacy harms, converting disclosure from a consensual to a more coerced decision. This Article argues that informational privacy law must focus on the economics of signaling and its unraveling of privacy.

You can download the full article from SSRN.

[From the article:

The unraveling effect holds that under certain conditions every member of a pool will ultimately reveal its type, even if at first it seems unwise for each to do so. Those with the “best” traits disclose first because their type is above average, and thus being lumped together with the rest of the pool is a detriment. As the average quality of those remaining in the pool drops, however, the new “best” individuals find themselves with the same incentive to disclose.

(Related) The march toward ubiquitous surveillance” continues.

Unraveling Privacy as Corporate Strategy

November 6, 2010 by Dissent

Scott Peppet writes:

The biometric technologies firm Hoyos (previously Global Rainmakers Inc.) recently announced plans to test massive deployment of iris scanners in Leon, Mexico, a city of over a million people. They expect to install thousands of the devices, some capable of picking out fifty people per minute even at regular walking speeds. At first the project will focus on law enforcement and improving security checkpoints, but within three years the plan calls for integrating iris scanning into most commercial locations. Entry to stores or malls, access to an ATM, use of public transportation, paying with credit, and many other identity-related transactions will occur through iris-scanning & recognition.

Read more on Concurring Opinions.

Sort of an instant 'background checker?”

How To Instantly Review Email Sender Reputation on Gmail

Open an email and instantly see background information about the person who wrote it. That’s the idea behind Rapportive, a Gmail plugin that automatically looks up their professional and social networking links and adds it to Gmail’s sidebar.

Best of all: you can leave custom notes about a person for future reference, perfect if you’re the sort of person who struggles to keep track of all the people you’re in touch with. Information displayed includes career information, links to social networks and whatever notes you yourself add to a given contact.

This is a very useful way to verify that someone writing you is the person he or she claims to be, and to keep track of the various people you write to day in day out.

A browser plugin for Firefox, Safari and Google Chrome, Rapportive takes minutes to set up.

… Installing Rapportive is simple: just head to and click the “Install” button. Assuming you use Firefox, Safari, or Chrome you should be set. Heck, the plugin even works for Mac-only Gmail client Mailplane.

Sorry, Internet Explorer users: you’re going to need a better browser to use this.

Do “in a perfect world” arguments trump “real world” facts?

Why did DOJ argue that consumers read and understand privacy policies? Are they ignorant or just unethical?

November 6, 2010 by Dissent

Over on Slight Paranoia, Chis Soghoian takes the DOJ out to the woodshed for its brief in In the Matter of the Application of the United States of America for an Order Authorizing the Use Of a Pen Register and Trap and Trace Device and Authorizing Release of Subscriber and Other Information. In that brief, the DOJ argued that consumers read and understand privacy policies and that therefore their historical cell data can be disclosed without a warrant thanks to my arch enemy, third party doctrine.

There are two issues here. The first is the notion of third party doctrine, which translates as “If you allow someone else to have your data, the Fourth Amendment doesn’t apply as you no longer have a reasonable expectation of privacy. “ Under the third party doctrine, our government has claimed it does not need a warrant to compel cell phone carriers to provide our records to them, and it seemed like they might prevail on that until a few recent decisions gave privacy advocates hope.

The second issue, though, is the frivolous argument made by the DOJ that consumers read and understand privacy policies. Chris helpfully points to the available academic research which refutes any argument the DOJ has made about what consumers read, know, or understand when it comes to privacy policies. As if additional evidence were needed, Adam Shostack reminded Chris that even Supreme Court Chief Justice Roberts has admitted that he usually doesn’t read privacy policies.

Even though the DOJ failed in its most recent application, if they should try that legally fecocktah argument again, I’d like to see opposing counsel seek sanctions against them for any claims that people read and understand privacy policies. Shame on the DOJ for even trying that one.

I also hope that the new Libertarian members of Congress play close attention to this administration’s attempt to erode privacy protections and that they will join with privacy advocates of all political persuasions to insist that more protections are provided as we update ECPA and consider other legislation that might give the government greater unchecked access to our personal information.

Read Chris’s blog entry here.

Interesting question. Would a Cloud user/vendor default storage to “the cloud” (i.e. wherever there is the best combination of room for the data and free processing cycles to manage the collection and storage)

AU: Google must return wifi data: Privacy lobby

November 6, 2010 by Dissent

James Riley reports:

The Australian Privacy Foundation is still seeking confirmation that the personal information of local citizens collected by Google Australia through its StreetView cars is being stored in Australia.

The organisation says if the personal data – including whole emails, bank account details and passwords – has been moved offshore it should be returned to Australia immediately.

But having written to all parties involved last May – Google Australia, the Office of the Australian Privacy Commissioner, the Attorney General’s department and the Australian Federal Police – the APF has yet to be formally told whether the payload data will be kept, or where it is currently stored.

Read more on ITWire. The AFP is clearly unhappy with the investigation and lack of transparency and responsiveness to their concerns, and they do not want the data destroyed until there’s been a fuller investigation and understanding of what has happened.

It's not like having your own lawyer advising you, but it's better than nothing (the previous version)

New FTC portal to assist businesses in complying with privacy and security laws

November 6, 2010 by Dissent

From the FTC’s press release:

The Federal Trade Commission has a new Business Center at that gives business owners, attorneys, and marketing professionals the tools they need to understand and comply with the consumer protection laws, rules, and guides the FTC enforces.

The Business Center provides practical, plain-language guidance about advertising, credit, telemarketing, privacy, and a host of other topics. A series of short videos explain the bottom line about what businesses need to know to comply, and the Business Center blog gives readers the latest compliance tips and information.

A new video encourages businesses to use and share the free resources in the Business Center to enhance compliance and build their customers’ trust. Companies can use the compliance tips in their newsletters and blogs, share the resources with their social and professional networks, use the videos for in-house trainings or presentations, and order free materials to hand out at conferences or community events.

Privacy and Security resources on the site are linked from here and include links to relevant federal laws, case notes, upcoming workshops and events, and compliance documents. A separate compilation of resources on Data Security can be found here.

Looks like the protest is spreading (and so are the pilots, for their “enhanced pat-down with extra vigorous genital grope”)

American Airlines Pilots in Revolt Against the TSA

November 6, 2010 by Dissent

Jeffrey Goldberg writes:

This is a letter from Captain Dave Bates, the president of the Allied Pilots Association, which represents 11,000 American Airlines pilots, to his members, in which he calls on pilots to refuse back-scatter screening and demand private pat-downs from TSA officers. Bates’s argument is multifaceted and extremely cogent. He worries about increased exposure to radiation, of course (a big worry among commercial pilots) and he is eloquent on the subject of intentional humiliation:

There is absolutely no denying that the enhanced pat-down is a demeaning experience. In my view, it is unacceptable to submit to one in public while wearing the uniform of a professional airline pilot. I recommend that all pilots insist that such screening is performed in an out-of-view area to protect their privacy and dignity.

Read more in The Atlantic.

Cyber war games. For my Computer Security students

Europe Simulates Total Cyber War

Posted by Soulskill on Saturday November 06, @01:01PM

"The first-ever cross-European simulation of an all out cyber attack was planned to test how well nations cope as the attacks slow connections. The simulation steadily reduced access to critical services to gauge how nations react. The exercise also tested how nations work together to avoid a complete shut-down of international links. Neelie Kroes, European commissioner for the digital agenda, said the exercise was designed to test preparedness and was an 'important first step towards working together to combat potential online threats to essential infrastructure.' The exercise is intended to help expose short-comings in existing procedures for combating attacks. As the attacks escalated, cyber security centers had to find ever more ways to route traffic through to key services and sites. The exercise also tested if communication channels, set up to help spread the word about attacks, were robust in the face of a developing threat and if the information shared over them was relevant."

[From ENISA:

- On 10th November, the Agency will make a media briefing in Berlin, at the Commission Representation, providing more information and draft conclusions about the outcome of the exercise.

… Link to exercise FAQs (full details re scope, objectives, background etc).

Fits into my “Make them pay like it's a purchase, but treat them like it's a short term lease” category

Analyzing Amazon's E-Book Loan Agreement

Posted by Soulskill on Saturday November 06, @08:24PM

"The Economist has a knowledgeable mainstream take on the restrictions publishers are forcing on e-books. From the article: 'They wish you to engage in two separate hallucinations. First, that their limited license to read a work on a device or within software of their choosing is equivalent to the purchase of a physical item. Second, that the vast majority of e-books are persistent objects rather than disposable culture. ... Just as with music, DRM will be cracked. As more people possess portable reading devices, the demand and availability for pirated content will also rise. (Many popular e-books can now be found easily on file-sharing sites, something that was not the case even a few months ago, as Adrian Hon recently pointed out.)"

End users are even less likely to go to court and defend their “right to porn”

Porn Maker Sues 7,000+ For Copyright Infringement

Posted by Soulskill on Sunday November 07, @02:19AM

This summer, we discussed news that the producers of The Hurt Locker had sued 5,000 people for sharing the movie over BitTorrent. Reader suraj.sun writes with word that a porn company is now following suit, filing a complaint targeting 7,098 people for illegally sharing one of their films. Quoting:

"Axel Braun Productions filed the complaint Friday in US District Court for the Northern District of West Virginia, alleging that the defendants illegally shared the adult film Batman XXX: A Porn Parody. The film was written and directed by Axel Braun and distributed by Vivid Entertainment, one of the country's best known porn studios. ... '**** 'em all,' Braun told Xbiz. 'People don't realize that when you pirate a movie it hurts all of the people who work very hard to get it produced — from the cast to the production assistants to the makeup artists. So we are going after every one of them who pirates our content.'"

For my Criminal Justice students, because I don't want them to confiscate my brownies...

Aunt Sandy's Medical Marijuana Cookbook Hits The Spot

… it is one of the most gorgeously produced books I've seen in a long, long time, with stunning full-page photographs of finished dishes and well-presented, knowledgeable information from a veteran in the field.

… Aunt Sandy also includes adaptations for diabetic, gluten-free, vegetarian, and other diets.

Now I can design an appropriate T-shirt for each class: C3PO for Intro to Computers, Evil Knievel for Risk Analysis, Exploding Brains for Math, Zombies for Computer Security...

ShirtMockup: Free T-Shirts Mockup Site

If you have a custom t-shirt idea, the best way to visualize the completed form is Shirt Mockup.

VoiceBase: Transcribe Audio To Text Automatically Online

Lecturers and speakers often record their presentation’s audio and appoint somebody to transcribe it. By converting the audio into text files, the audio can be made searchable on the web, making it easier for others to find.

A web service that lets you perform this task with greater ease is VoiceBase.

VoiceBase lets you upload audio files and transcribe audio to text automatically online. You can check the site’s transcription for any errors and correct them manually. The audio file, along with its transcription, is then hosted on your VoiceBase account.

You can make it public and searchable for other users. They can search the content in the transcription and jump to the audio position relevant to their search.

Free users of the service get up to 2 hours of audio storage that is kept online for a year. For more storage you can opt for the paid package.

Also read relate article “How To Transcribe Audio & Video Files Into Text With The Help Of Express Scribe“.

Best overview of WolframAlpha capabilities and commands I have seen.

Life After Wolfram|Alpha: What You (and Your Students) Need to Know

No comments: